Log management review: ArcSight Logger

ArcSight Logger 4 meets all the requirements of enterprise-grade log management, with plenty of flexibility and options

ArcSight has been a pioneer in the security event management business since 2000, and the company's leadership shows in the richness, flexibility, and maturity of its offering. The product lineup is led by the ArcSight Enterprise Security Manager and Logger event log management appliances, although the company has smaller appliances and companion modules for identity-based and compliance monitoring.

Unlike most of the products in this review (all except Splunk), which throw in some SIEM functionality, Logger is strictly for event log collection and reporting. It doesn't include event processing rule sets or make decisions about incoming information and alert you to security events. Rather, it simply sucks in all of the log information you want to analyze and generates reports on it.

For this review, ArcSight sent me the Logger 4 7200-series appliance (2U) with six 1TB RAID5 drives, the maximum amount of internal storage available. Using default compression, ArcSight says the unit can store 42TB of event storage before needing to archive to external storage, though I did not verify this.

Logger 4 runs on 64-bit Oracle Enterprise Linux with one or two Intel Xeon Quad Core 2.0GHz processors, two or four network interfaces, and 12GB or 24GB of RAM. Initial setup was fast and easy -- standard for today's appliances. Configuration, management, and operations can be done using a command-line interface or an HTTPS-protected Web GUI.

ArcSight Logger: Event log support and management
Two of ArcSight's strengths are the number of client platforms it supports and the many ways that event messages can be sent to the Logger. In addition to being forwarded to Logger directly by the hosts using native protocols (UDP, TCP, Syslog, FTP, SCP, and so on), event messages can be picked up from a variety of sources (including text files) or collected and sent using agent software called Connectors. ArcSight provides well over 100 different types of connectors, more than any other vendor. If I could think of it, they had it; if they don't have one, you can probably build it. ArcSight FlexConnectors allow admins to create customized connectors for devices and applications that cannot use existing connectors.

Connectors pick up events in their native format, normalize the data, and deliver the structured data to the ArcSight appliance. Connectors give structure to any unstructured log data, which is important because you cannot run ArcSight reports on unstructured data, though you can run text searches on it. Connectors can also perform event filtering, event message caching, and network bandwidth throttling. The only downside is that ArcSight's connector agents are fairly large (their Windows connector is 179MB) compared to other client-side agents and can take more than 10 minutes to install.
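The connector pipeline described above (parse the native format, normalize it into named fields, drop noise before it leaves the host, then report on fields rather than on raw text) can be shown with a small stand-alone script. This is an added example written for this page, not ArcSight code or a FlexConnector; the regular expressions, field names, category labels and the sample syslog lines are all constructed assumptions, and the sample lines use documentation IP ranges.

```python
import re
from collections import Counter

# Constructed sample of raw syslog lines (not captured from any real system).
RAW_EVENTS = [
    "Jan 12 10:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Jan 12 10:01:05 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51040 ssh2",
    "Jan 12 10:02:17 db01 sshd[917]: Accepted publickey for deploy from 192.0.2.10 port 40110 ssh2",
    "Jan 12 10:02:30 web01 CRON[2299]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 12 10:03:44 db01 sshd[921]: Failed password for postgres from 203.0.113.7 port 51101 ssh2",
    "this line is not valid syslog at all",
]

# Assumed BSD-style syslog header: "Mon DD HH:MM:SS host proc[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Assumed OpenSSH authentication message shape; only this one event type is parsed.
SSH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)


def normalize(line):
    """Turn one raw line into a dict of named fields; return None if it cannot be parsed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = {"raw": line, **m.groupdict()}
    event["pid"] = int(event["pid"]) if event["pid"] else None
    ssh = SSH_RE.match(event["msg"])
    if ssh:
        event.update(ssh.groupdict())
        event["src_port"] = int(event["src_port"])
        event["category"] = "auth_failure" if ssh["outcome"] == "Failed" else "auth_success"
    else:
        event["category"] = "other"  # structured header, but message body not modelled
    return event


def collect(lines, drop_categories=()):
    """Connector-style pipeline: normalize every line, apply host-side filtering,
    and return (structured events, unparsable lines, number of filtered events)."""
    structured, unparsed, filtered = [], [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)          # keep for text search, unusable for field reports
        elif ev["category"] in drop_categories:
            filtered += 1                  # bandwidth saved: never sent to the appliance
        else:
            structured.append(ev)
    return structured, unparsed, filtered


def failed_logins_by_source(events):
    """A field-based report: possible only because src_ip is a named field."""
    return Counter(e["src_ip"] for e in events if e["category"] == "auth_failure")


def text_search(lines, needle):
    """Free-text search, which works on raw and unparsed lines alike."""
    return [line for line in lines if needle.lower() in line.lower()]


if __name__ == "__main__":
    events, unparsed, dropped = collect(RAW_EVENTS, drop_categories=("other",))
    print(f"{len(events)} structured, {len(unparsed)} unparsed, {dropped} filtered at source")
    print("failed logins by source IP:", dict(failed_logins_by_source(events)))
    print("text hits for 'failed password':", len(text_search(RAW_EVENTS, "failed password")))
```

The point the script makes is the one the review makes about reporting: `failed_logins_by_source` can group by source address only for events that went through `normalize`, while the unparsable line is still reachable through `text_search`. The `drop_categories` argument stands in for connector-side event filtering, which reduces what crosses the network but also means filtered events are not available for later investigation, so the drop list deserves the same review as any other detection configuration.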

Test Center Scorecard

ArcSight Logger 4: scores of 10, 8, 8, and 9 on the four weighted criteria (weights 40%, 20%, 20%, and 20%), for an overall score of 9.0 (Excellent).